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Baby Modula-3 and a theory of objects 

Martin Abadi 



Abstract 

Baby Modula-3 is a small, functional, object-oriented programming language. It is in- 
tended as a vehicle for explaining the core of Modula-3, from a biased perspective: Baby 
Modula-3 includes the main features of Modula-3 related to objects, but not much else. 
To the theoretician, Baby Modula-3 provides a tractable, concrete example of an object- 
oriented language, and we use it to study the formal semantics of objects. 

Baby Modula-3 is defined with a structured operational semantics and with a set of 
static type rules. A denotational semantics guarantees the soundness of this definition. 



1 Introduction 

Baby Modula-3 is a small, functional, object-oriented programming language with 
a static type system. It is intended as a distillation and an explanation of the core 
of Modula-3 (Nelson, 1991), from a biased perspective: Baby Modula-3 includes the 
main features of Modula-3 related to objects, but not much else. To the theoreti- 
cian, Baby Modula-3 provides a tractable, concrete example of an object-oriented 
language, and we use it to study the formal semantics of objects. Our study deals 
with both operational and denotational semantics. 

The language is defined with a structured operational semantics in the style of 
Plotkin (1981) and with a set of type rules in the usual natural-deduction format. 
We prove a subject-reduction theorem, which implies that a well-typed program 
never produces run-time errors, such as the infamous "message not understood" 
error of Smalltalk. 

Further, we give a denotational semantics for Baby Modula-3. The denotational 
semantics leads to a different proof that well-typed programs do not produce errors. 
It also provides a basis for axiomatic reasoning about Modula-3 programs, in that 
various rules for program verification can be proved sound with respect to the 
semantics. 

The semantics of object types is based on a simple analogy with recursive record 
types. Intuitively, the type of objects with one field f of type B and one method m 
of return type C can be viewed as the type T of records with two fields, f of type 
B and m of type T— >C. The definition of T is recursive, since T appears in the type 
of m. This analogy has been suggested in the literature, in different frameworks; 
Cardelli (1986) and Mitchell (1990) have had some success with it. The analogy 
breaks, however, in the treatment of subtyping. The recursive record types used 
are not in the necessary subtype relations, because the recursion involved is not 
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covariant. The difficulty in the combination of subtyping and recursion appears 
to be a well-known stumbling block in the folklore on object types. We surmount 
this difficulty with rather elementary techniques. The resulting semantics does not 
require much beyond recursive record types, but provides an adequate treatment 
of subtyping. 

The next section is an informal overview. Section 3 describes the syntax of Baby 
Modula-3; Section 4 gives its semantics. The final section is a comparison with 
related works on the theory of typed object-oriented languages. 

2 Overview 

In this overview we introduce our treatment of objects, by comparing objects to 
records. We describe the expressions that denote objects in Baby Modula-3; we also 
describe the operations on objects, and present some typical reduction rules. Then 
we discuss issues in the design of type rules for Baby Modula-3. Finally, we present 
the main theme of our denotational semantics. 

2.1 Expressions and their reduction 

In Baby Modula-3, objects are made up of fields and methods; Baby Modula-3 
is delegation-based in the sense that methods are directly attached to individual 
objects, and not to classes (see Section 5). We write nil for the object with no fields 
and no methods. If a is an object then we write a[f = b,m= c] for a's extension 
with a field f and a method m, with values b and c. 

Throughout, we assume that the labels of fields and methods are taken from dis- 
joint sets, so that it is always clear whether a field or a method is under considera- 
tion. Furthermore, we contemplate extension with exactly one field and one method 
at a time, for convenience and with no loss of generality. Although a field can be en- 
coded as a method that ignores its argument, we treat fields explicitly, because the 
definitions and proofs for fields are good introductions to the corresponding ones for 
methods. In informal discussions, we sometimes lighten our notation, for example 
abbreviating nil[f = b, m = c][f ' = b', m' = c'] by [f = b, m = c, f ' = b', m' = c']. 

An object is like an extensible record in many respects (e.g., (Wand, 1987; 
Cardelli, 1992)). For example, the object [f = b,m = c] is like the record with the 
fields f and m with the respective values b and c. The operations on objects corre- 
spond to operations on records, too: 

• Objects can be extended with new fields and methods, much like records can 
be extended with new fields. 

• New values can be assigned to the fields and methods of existing objects. 
For methods, this is called overriding, but in our treatment overriding is 
just assignment. (Modula-3 permits overriding only at the level of types; see 
Section 3.) 

• Finally, fields can be read and methods can be invoked. Reading a field from 
an object is much like reading it from a record. On the other hand, invoking 
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a method has the effect of extracting its value, then applying this value to 
the object, and returning the result of the application. 

We use the reduction rules that reflect the difference between fields and methods 
as an introduction to our structured operational semantics. In these rules, a =>• a' 
may be read "the expression a reduces to the result a'." Results are expressions 
of special forms; in particular, it is straightforward to determine whether a result 
represents an object and to examine its fields and methods. A result reduces only 
to itself. 

a =>• a' f = b in a' 
a.f => b 

a =>• a' m = c in a' c ( a ') d 
a.m =>• d 

The first rule says: if a reduces to a', and a' is an object with the field f with 
the value b, then a.f reduces to b. On the other hand, the second rule says: if a 
reduces to a', and a' is an object with the method m with the value c, and further 
the application c(a') reduces to d, then a.m reduces to d. 

The structured operational semantics includes many rules of the general form of 
the ones just given. There is one "normal" rule for each syntactic construction in 
the language. In addition, there are rules for reductions that produce a run-time 
error, represented by the special result wrong. For example, we have the rule: 

a =>• a' no f in a' 
a.f =>• wrong 

It says: if a reduces to a', and a' is not an object with the field f (possibly not an 
object at all), then a.f reduces to wrong, that is, a.f produces a run-time error. 

2.2 Types 

In Baby Modula-3, certain types are distinguished as object types. There is a type 
of all objects, called Root. The type Root is the largest object type, and even 
the empty object nil has type Root. Object types can be extended, much like 
objects themselves: if A is an object type without the field f or the method m then 
A[f : B, m : C] is an object type, the extension of A with a field f of type B and a 
method m of return type C. 

For example, Root[f : Nat,m : Nat][f' : Nat,m' : Nat] is an object type, which we 
may write [f : Nat, m : Nat, f ' : Nat, m' : Nat] adopting for object types an abbrevia- 
tion analogous to the one for objects. Further, object [f = b, m = c, f ' = b', m' = c'] 
has type [f : Nat,m : Nat,f' : Nat,m' : Nat] if the values of the fields f and f' are 
always natural numbers and invoking the methods m and m' always returns natural 
numbers. 

There are many ways of formalizing this informal description of object types 
and the example. Obtaining a sound, tractable, and useful set of type rules is not 
entirely straightforward. 

According to our formulation, the object [f = b,m = c,f' = b',m' = c'] has type 
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[f : Nat, m : Nat, f ' : Nat, m' : Nat] if b and b' have type Nat and c and c' have type 
[f : Nat,m : Nat,f' : Nat,m' : Nat]— »Nat. Since we preserve membership in the type 
[f : Nat, m : Nat, f ' : Nat, m' : Nat] as an invariant for the object, the methods m and 
m' are invoked only with arguments of this type. This motivates the condition that 
c and c' have type [f : Nat, m : Nat, f ' : Nat, m' : Nat]-»Nat. 

Generalizing from this example, we obtain the following type rule for overriding 
(a slightly simplified, weakened version of the rule presented in Section 3): 

E h a : A E h c : A-»C m : C in A 
E h a.m := c : A 

This rule may be read: given the environment E, if a has type A, c is a function 
from A to C, and A is an object type with method m with return type C, then it is 
legal to assign c to a.m, and the new value of a has type A. A similar rule deals with 
adding a method to an object. As explained below, both overriding and extension 
are functional operations in Baby Modula-3, but the corresponding type rules would 
be sensible for an imperative language as well. 

The type system also includes a subtype relation <. If A < B and a has type A 
then a has type B. The central rule for subtyping says that if B is an object type 
and A an extension of B then A < B, so for example [f : Nat,m : Nat] < Root and 
[f : Nat,m : Nat,f' : Nat,m' : Nat] < [f : Nat,m : Nat]. Modula-3 allows single inher- 
itance, and not multiple inheritance; the order of fields and methods matters in 
determining whether two object types are in the subtype relation. For example, the 
two types [f : Nat, m : Nat, f ' : Nat, m' : Nat] and [f ' : Nat, m' : Nat, f : Nat, m : Nat] 
are incomparable. Our rules correspond to single inheritance, but there would be 
little difficulty in dealing with multiple inheritance instead. Our semantics already 
models multiple inheritance. 

Finally, the type system includes a recursive-type construction. Recursive types 
arise often in dealing with objects, and for example the type of all objects that 
contain a field f of type Nat and a binary method m of return type Nat is the 
solution to the equation: 

X = [f : Nat,m : X-^Nat] 

There has been interesting recent literature on the interaction between subtyping 
and recursive types (e.g., (Amadio and Cardelli, 1991)). In our language this inter- 
action remains simple, and in particular it does not give rise to any special rules. 

The result that connects reduction and typing is the subject-reduction theorem. 
It says that types are not lost by reduction: if a a' and h a : A then h a' : A. It 
is a simple corollary that if h a : A then a does not reduce to wrong, and thus its 
evaluation does not produce a run-time error. 

2.3 Denotational semantics 

The denotational semantics of Baby Modula-3 needs to address the issues that arise 
from the typing of methods and from the use of subtyping and recursive types. As 
indicated, the main theme of our interpretation is the analogy between object types 
and recursive record types. 
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The type rules for Baby Modula-3 suggest comparing an object type such as 
[f : Nat,m : Nat,f' : Nat,m' : Nat] to a recursive record type, here the type T of all 
records with fields f and f ' with type Nat and with fields m and m' with type T— »Nat. 
We may define T as the solution to the equation 

X = ((f : Nat, m : X-^Nat, f ' : Nat, m' : X-^Nat)) 

where ((fm : Am, . . . , fn : An}} denotes the type of records with fields fm, . . . , f n with 
respective types Am, . . . , An. Perhaps because of the simplicity of Baby Modula-3 
(and of Modula-3) this analogy gets us quite far. To support it, we adapt standard 
methods for the solution of recursive type equations, with only a few technical 
surprises. 

But the analogy stops working when we consider the rules for subtyping. In our 
example, the problem is that the type function 

F(I) = ((f : Nat, m : X-^Nat, f ' : Nat, m' : X-^Nat}} 

is contravariant in X and we take its fixpoint in constructing a recursive record 
type. The result of taking a fixpoint of a contravariant function is unpredictable in 
general. In particular, even if F is pointwise smaller than G (say, in the < relation), 
it does not follow that the fixpoint of F is smaller than the fixpoint of G when F 
and G are allowed to be arbitrary contravariant functions. In our example, again, 
a bit of care in the definitions yields that F(l) is a subtype of 

G(X) = ((f : Nat,m : X-^Nat)) 

for each X, but the fixpoints of the two functions are unrelated. Hence the simple 
interpretation of object types based on recursive record types does not validate 

[f : Nat, m : Nat, f ' : Nat, m' : Nat] < [f : Nat, m : Nat] 

The solution to this problem remains elementary. The meaning of an object type 
A is defined to include all the values allowed by the meaning of A as a recursive 
record type, and also all the values allowed by the meaning of any extension of 
A as a recursive record type. It seems somewhat remarkable that such a simple 
solution does not introduce any new problems. Its only apparent disadvantage is 
that it may be hard to formulate the modified interpretation of object types within 
a usual typed language such as System F (Girard, 1972); and perhaps this is why 
it was not previously noticed. The modified definition can be given in our semantic 
framework. The resulting denotational semantics is sound, in that it validates both 
the reduction rules and the type rules. 



3 Syntax 

In this section we discuss syntactic aspects of Baby Modula-3. First we present all 
relevant definitions, for reduction and typing, and then we start the syntactic study 
of the language. 
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3.1 Expressions 

The grammar for terms is: 

a ::= x 

| f un(x : A)b 
I b(a) 
| nil 

| a[f = b, m = c] 

| a.f 

| a.m 

| a.f := b 

| a.m := c 

| wrong 

First we have variables, abstraction, and application. In the abstraction appears 
an expression A. It is intended that A range over type expressions, but the grammar 
for terms does not make a commitment to a particular type structure. Many type 
systems are possible; in the extreme type system with only one type expression, we 
have an untyped calculus. Subsection 3.2 includes a particular definition for type 
expressions. The operational and denotational semantics of terms do not depend 
on this definition. 

The object constructs are nil (the object with no fields or methods), object 
extension (a[f = b,m = c]), field reading (a.f), method invocation (a.m), assignment 
to a field (a.f := b), and method overriding (a.m := c). Note that the assignment 
expressions are terms, not commands; an assignment for an object a is intended 
to return the resulting value of a. Finally, we have wrong, the representation of a 
run-time error. 

Relation to Modula-3 

As a further explanation of the grammar just given, we briefly compare Baby 
Modula-3 to Modula-3. Readers not familiar with Modula-3 may want to skip this 
comparison. 

The syntax for variables and for applications in Modula-3 is the same as here; 
abstractions are given with an explicit name N and an explicit return type B, in 
the form PROCEDURE N(x : A) : B = RETURN b N; the constant nil is commonly 
written NIL. 

In Modula-3, objects are not built by extension. Rather, they are allocated com- 
pletely at once, with calls to NEW. In order to create the object that we write 
nil[f d = bd, me = ce] . . . [f i = bi, mj = cj], the call is 

NEW(A,fd := bd,me := ce, . . .,f i := bi,mj := cj) 

with A the type of the object created. The methods ce, . . . , cj could be arbitrary 
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expressions in the original Modula-3 (Cardelli et at, 1988). They must be top-level 
procedure constants in the current Modula-3. 

The Modula-3 syntax for reading a field and for assignment to a field is the 
same as here; the method invocation a.m is written a.m(). Modula-3 does not allow 
overriding of methods at the value level, but only at the type level. (Type declara- 
tions may include values for fields and methods, which are used as defaults in calls 
to NEW. Overriding at the type level means declaring a type with a new default.) 
Overriding at the value level does appear in other languages (e.g., (Steele, 1990)) 
and it is noticeably absent from the class-based languages discussed in Section 5. 
We include it for completeness and because its formal treatment remains simple, 
perhaps surprisingly so. 

3.2 Type rules 

Subsections 3.2.1 to 3.2.5 introduce the type rules of Baby Modula-3. The experi- 
enced reader may wish to skim the first three of these subsections to focus on the 
last two, which contain the rules for subtyping and those for relating values and 
types. 

3.2.1 Environments 

We start with three rules for proving judgements of the form h E, read "E is a legal 
environment." An environment is a list; empty denotes the empty list and a comma 
denotes list concatenation. 



h empty 

h E X not in E 

h E,X 

E h A x not in E 

h E, x : A 

3.2.2 Types 

Next come some rules for proving judgements of the form E h A, read "A is a legal 
type in environment E," and of the form E h A obj, read "A is a legal object type 
in environment E." An expression A such that E h A for some E is called a type 
expression. An expression A such that E h A obj for some E is called an object 
type expression. 

h E1,X,E2 
El,X,E2 h X 

E h A obj 
E h A 
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E h A E h B 
E h A-»B 

h E 
E h Root obj 

E h A obj EhB EhC no f,i in A 

E h A[f : B,m : C] obj 

E, X h A obj 
E h Mu(X)A obj 

Here no f in A means that f : B in A holds for no B, and f : B in A is defined by 
induction on A to mean that A advertises the field f with type B: 

• f : B in A[f : B,m : C]; 

• if f : B in A then f : B in A[f' : B',m' : C']; 

• if f : B in A then f : B[Mu(X)A/X] in Mu(X)A. 

The definition for methods is analogous. The relations f : B in A and m : C in A 
are decidable, as they can easily be computed following their inductive definitions. 
In examples, we use the types Nat and Real, but we do not treat them formally. 

Discussion 

The expression Mu(X)A represents a recursive type B such that B = A[B/X]. Note 
that the only recursive types allowed are object types. This restriction is easy to 
formulate using the judgments that distinguish object type expressions, E h A obj. 
There is neither difficulty nor fundamental gain in removing this restriction. 

Note also that environments may include the assumption that X is a type, but 
not that it is an object type. This means that object type expressions can be built 
by extension and recursion from Root but not from type variables. For example, 
X[f : Nat, m: Nat] is not an object type expression, and in fact it is not a type 
expression at all. In further work (with Cardelli), we hope to be able to treat object 
type variables by using kinds to classify types. 

Relation to Modula-3 

The Modula-3 syntax for A— >B is PROCEDURE(x : A) : B; the formal parameter x is 
made explicit. The type Root is commonly written ROOT; and A[f : B,m : C] is writ- 
ten A OBJECT f : B METHODS m() : C END. In Modula-3, recursive types are not ex- 
pressed with the Mu construct and with type variables; rather, they are declared 
with equations such as TYPE A = OBJECT f : A END. 

In Modula-3, the type NULL, which contains only NIL, is a subtype of every object 
type. We do not have an analogue of NULL, and in fact nil is not in every object 
type. 
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3.2.3 Type equalities 

The rules for type equality deal with judgements of the form E h A = B, read "A 
and B are equal types in environment E." Type equality is defined to be a congruence 
on type expressions. In addition, equality rules for recursive types have the effect 
of equating two type expressions whenever the infinite trees obtained from them by 
unfolding are equal. 

We omit the rules for type equality; the interested reader can consult the work 
of Amadio and Cardelli (1991). In what follows, we sometimes identify types that 
are provably equal, for simplicity. 

3.2.4 Subtypes 

The rules for subtyping deal with judgements of the form E h A<B, read "A is a 
subtype of B in environment E." Subtyping is reflexive and transitive. The only 
nontrivial subtyping is that between an extension of an object type and the object 
type, so that in particular Root is the largest object type. The function-space con- 
structor — > is neither covariant nor contravariant. Moreover, inheritance is simple 
and not multiple. 

E h A = B 
E h A<B 

E h A<B E h B<C 
E h A<C 

E h A obj EhB EhC no f,i in A 

E h A[f : B,m : C]<A 

Discussion 

To illustrate the use of the subtyping rules, we can show that B<A, where A and B 
are defined recursively by 

A = Mu(X)Root[f : X,m : X] 

B = Mu(Y)Root[f : A,m : A][f' : A',m' : A'] 

and A' is an arbitrary type expression. The subtyping proof starts by unfolding once 
each of A and B: 

A = Root[f : A, m : A] 

B = Root[f : A,m : A][f' : A'[B/Y],m' : A'[B/Y]] 

Then the rule for subtyping object types is applicable, and yields the desired result. 
This proof does not rely on any special rules for subtyping recursive types. However, 
in a more general context, rules for subtyping recursive types would be wanted (as 
in (Amadio and Cardelli, 1991)). 

In contrast, note that it is not provable that B<A, where A and B are defined 
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recursively by 

A = Mu(X)Root[f : X,m : X] 

B = Mu(Y)Root[f : Y,m : Y][f' : A',m' : A'] 

This subtyping would hold under an additional hypothesis: that the extension type 
constructor is monotonic with respect to the subtype relation (so that if Z<Z' and 
¥<¥' then Root[f : Z,m : W] < Root[f : Z',m : ¥']). It would then be provable that 
B < A, using sound rules such as those of Amadio and Cardelli. 

However, the additional monotonicity hypothesis is unsound in general. It is not 
hard to construct examples that illustrate this unsoundness. Consider the types 
C = Root[f : Nat,m : Nat] and D = Root[f : Real,m : Nat], with Nat<Real. We can 
build an object a of type C where the method m returns the value of the field f : let 
a = nil[f = 0, m = f un(z : C)(z.f )]. Suppose that C<D, and thus that a has type D. 
Then we can write (a.f := 7r).m and expect to obtain a result of type Nat, rather 
than 7r; hence, C^D. 

Similar examples demonstrate that extending Baby Modula-3 with subtypings 
such as B<A would be unsound as well. In some programs, the absence of these 
subtypings can be an obstacle. A simple remedy consists in incorporating dynamic 
typing into the language, as in Modula-3. With Cardelli, we are investigating a 
more complex but more ambitious remedy based on polymorphism 

3.2.5 Typecheckmg 

The typechecking rules are based on judgements of the form E h a : A, read "a has 
type A in environment E." In the rules for typechecking objects, we use auxiliary 
judgements of the form E h a : A Self =S. These are four-place judgements, relat- 
ing an environment E, a term a, and two types A and S; Self = is simply a keyword. 
Next we list the rules; the first one is called the subsumption rule. 

E h b : A Eh A<B 
E h b : B 

h El,x : A,E2 
El,x : A,E2 h x : A 

E, x : A h b : B 
E h f un(x : A)b : A-^B 

E h c : A-^B E h a : A 
E h c(a) : B 

E h a : A Self =A 
E h a : A 

E h S 

E h nil : Root Self =S 
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E h a : A Self =S E h b : B E h c : D-^C 
E h S<D no f,m in A 
E h a[f = b, m = c] : A[f : B, m : C] Self =S 

E h a : A E h A obj f : B in A 

E h a.f : B 

E h a : A E h A obj m : C in A 

E h a.m : C 

E h a : A Ehb:B f : B in A 
E h a.f := b : A 

E h a : A E h c : D-^C E h A<D m : C in A 
E h a.m := c : A 

Discussion 

The use of auxiliary judgements deserves explanation. When S is an object type, the 
proof of E h s : S is reduced to the proof of E h s : S Self=S, and later to similar 
proofs E h a : A Self=S, where s and S are extensions of a and A, respectively. 
The argument S preserves a record of what the original typechecking problem was. 
This is needed for typechecking methods in a; intuitively, S is taken as the type of 
"self" (s), the argument of the methods. In the rule for object extensions, methods 
are required to map S, or some supertype D of S, to the appropriate return type. 
The auxiliary type D is introduced for generality, to compensate for the omission 
of a rule of contravariance of — > in its first argument. With this rule, it would be 
equivalent to use S instead of D. A similar use of D is made in the rule for overriding. 

As an example, consider the problem of deriving the judgment h s : S when S 
is Root[f : Nat,m : Nat][f' : Nat,m' : Nat] and s is nil[f = b,m= c][f' = b',m' = c']. 
Using the rules given, it suffices to prove the judgment h s : S Self=S. In turn, 
h s : S Self=S can be obtained from the judgments h b' : Nat, h c' : S— »Nat, and 
h nil[f = b, m = c] : Root[f : Nat, m : Nat] Self =S; this last judgment can itself be 
proved from h b : Nat and h c : S— »Nat. Note that the method m in s will always 
be applied to an element of S, and that the condition h c : S— »Nat allows c to be 
fun(x : S)(x.m'). 

We deliberately omit any mechanism for unfolding recursive types in judgements 
of the form E h a : A Self =S. If A is a recursive type, then E h a : A Self =S is 
never provable. While the omission makes the type system simpler, it does not result 
in a loss of power. For example, if we were to include that mechanism, the proof of 
h nil : Mu(X)Root could be reduced to that of h nil : Mu(X)Root Self =Mu(X)Root; 
but it can also be reduced by unfolding to the proof of h nil : Root, and this proof 
succeeds without any new mechanism for unfolding. 

On the whole, the type rules are a little restrictive. In particular, they mean 
that extensions may be applied only to nil, to construct objects of the form 
nil[fd = bd,me = ce] . . . [f i = bi,mj = cj]. (Thus, the use of a general extension 
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syntax for objects is mostly a matter of taste.) For example, the rules do not provide 
a type for the function f un(x : Root[f : Nat, m : Nat])(x[f ' = 0, m' = f un(y : Root)0]) 
where extension is applied to a variable in the body. This limitation would disappear 
were we to include suitable subsumption rules among the type rules with Self=. 
These new rules seem sound, and they may be of some interest. 

3.3 Reduction rules 

In the structured operational semantics, some closed expressions are viewed as 
proper results: the function results f un(x : A)b, and the object results nil and 

nil[f d = bd, me = ce] . . . [f i = bi, mj = cj] 

where all of bd, ce, . . . , bi, cj are proper results and all the labels are distinct. All 
proper results are results, and in addition wrong is a result. 
We write f = b in a when a is an object result of the form 

nil ... [f = b, ...]... [fi = bi,mj = cj] 

then write a{f <— b'} for the result of replacing b with b', obtaining 

nil...[f = b',...]...[fi = bi,mj = cj] 

and write f in a when a is an object result and f = b in a holds for some b. The 
notations m = c in a, a{m <— c'}, and m in a have analogous definitions. 

The reduction relation a b ("a reduces to b") is axiomatized by the rules 
below. It is a binary relation between closed expressions and results. It is easy to 
see that each expression reduces to at most one result, and that a result reduces 
only to itself. 

f un(x : A)b => f un(x : A)b 

a => a' wrong) b => fun(x : A)b' b'[a'/x] => b" 
b(a) => b" 

a wrong 
b(a) wrong 

a a' b b' not a function result 
b(a) wrong 



nil nil 

a a' an object result no f,m in a' 
b b' (7^ wrong) c c' wrong) 
a[f = b, m = c] => a'[f = b', m = c'] 

a a' not an object result, or f or m in a' 
a[f = b, m = c] wrong 
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a =>• a' b =>• wrong 
a[f = b, m = c] =>• wrong 

a =>• a' b =>• b' c =>• wrong 
a[f = b, m = c] =>• wrong 

a =>• a' f = b in a' 
a.f =>- b 

a =>• a' m = c in a' c ( a ') d 
a.m =>• d 

a =>• a' no f in a' 
a.f =>• wrong 

a =>• a' no m in a' 
a.m =>• wrong 

a =>• a' f in a' b =>• b' wrong) 
a.f := b => a'{f <- b'} 

a =>• a' m in a' c =>• c' (neqwrong) 
a.m := c =>• a'{m <— c'} 



a =>• a' no f in a' 





a.f := 


b 


=>■ wrong 


a 


=> a' 




no m in a' 




a.m := 


c 


=>■ wrong 


a 


=> a' 




b =>• wrong 




a.f := 


b 


=>■ wrong 


a 


=> a' 




c =>• wrong 




a.m := 


c 


=>■ wrong 



wrong =>• wrong 



Discussion 

In these rules, we have made some choices of order of evaluation. We believe that all 
of the choices are reasonable, and they simplify our presentation. In particular, the 
rules for functions are usual ones for call- by- value reduction. More interestingly, we 
evaluate fields and methods before they are collected into objects, rather than delay 
their evaluation until they are accessed. Thus, if b does not reduce to a result, then 
neither do a.f := b and a[f = b,m = c] (unless they reduce to wrong). This seems 
like the most sensible choice for a call- by- value functional language, particularly 
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with the context of an imperative language in mind. In an imperative language, 
b may depend on program variables, and these have to be accessed before they 
change; b can even make reference to a.f . 

We have made other choices that cannot be detected in a typed setting. For 
example, the rules allow storing a non-function c as method of an object a, with 
a.m := c. An error is produced only if the method is invoked. However, if c is not a 
function then a.m := c is not typable; thus the possibility allowed by the reduction 
rules is irrelevant for well-typed programs. 

3.4 Subject reduction 

With the syntax of Baby Modula-3 complete, we start the study of syntactic prop- 
erties. We obtain a subject-reduction theorem: 

Theorem 1 

If a => a' and h a : A then h a' : A. 

A very typical substitution lemma and some additional syntactic observations 
are useful in the proof of the theorem: 

Lemma 1 

If A and B are closed, E, x : B h a : A, and h b : B for a result b, then E h a[b/x] : A. 

Proof 

The proof is by induction on the length of a proof of E, x : B h a : A. The only 
important cases are those to do with functions, and they are treated abundantly in 
the literature. D 

Proposition 1 

If E h a : A Self =S is derivable, then A is an object type expression of the form 
Root[f i : Bi,mj : Cj] . . . [f k : Bk,ml : Cl], and a is a term of the corresponding form 
nil[f i = bi, mj = cj] . . . [fk = bk, ml = cl]. 

Proof 

The proof is an easy induction on derivations. D 

Now we strengthen the claim of Theorem 1, and prove: 
Lemma 2 

Assume that a =>■ a'. 

• If h a : A then h a' : A. 

• If h a : A Self =S then h a' : A Self =S. 

Proof 

The proof is by induction on the length of the reduction derivation. The cases for 
reductions to wrong are vacuously true; we treat only one of them, as an example. 
Also, by Proposition 1, h a : A Self=S can hold only if a is built from nil by 
extension, and so we consider the second part of the claim only in the appropriate 
cases. Finally, we include only cases for the object constructs, the other ones being 
standard. 

In most of this proof, we work with types up to provable equality. 
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The case of nil =>• nil is trivial. 

Suppose that h a[f = b,m = c] : D and consider the rule: 

a =>• a' an object result no f,m in a' 
b =>• b' (7^ wrong) c =>• c' wrong) 
a[f = b, m = c] => a'[f = b', m = c'] 

The assumption implies that for some D' we have h a[f = b,m = c] : D' and 
h a[f = b,m = c] : D' Self=D', with D' (provably equal to) a subtype of D 
(possibly D itself). By Proposition 1 it follows that D' has the form A[f : B, m : C] 
and h a : A Self=D'. Moreover, it follows that h b : B and h c : G-»C for 
some G with h D' < G. By induction hypothesis, h a' : A Self=D', h b' : B, 
and h c' : G-^C. Hence, it follows that h a'[f = b',m = c'] : D' Self=D', and 
so that h a'[f = b',m = c'] : D'. Since h D' < D, subsumption yields the result 
h a'[f = b',m = c'] : D. 

In this case, because of the form of the terms involved, the second half of the 
subject-reduction claim is relevant. For this second half, we need to prove that 
h a[f = b,m = c] : D Self=S implies h a'[f = b',m = c'] : D Self=S. While 
this proof is not trivial, it is a simple variant of the one just given. 
Suppose that h a.f : B and consider the rule: 

a a' f = b in a' 
a.f => b 

Inspection of the type rules shows that h a : A for some object type A and, 
further, f : B' in A with B' (provably equal to) some subtype of B (possibly 
B itself). By induction hypothesis, h a' : A; since a' is an object result and 
f : B' in A, the proof of h a' : A must involve a proof of h b : B', and by 
subsumption we can obtain h b : B. 
Suppose that h a.m : C and consider the rule: 

a a' m = c in a' c ( a ') d 
a.m d 

As in the previous case, h a : A for some object type A and, further, m : C' in A 
where C' is provably equal to a subtype of C (possibly C itself). By induc- 
tion hypothesis, h a' : A. Now it follows that for some A' and D, h c : D— >C' , 
h A' < D, h A' < A, and h a' : A'. Subsumption yields h a' : D, and the type- 
checking rule for application yields h c(a') : C'. By induction hypothesis, 
h d : C'. Subsumption finally yields h d : C, as desired. 
Suppose that h a.f : B and consider the rule: 

a a' no f in a' 
a.f wrong 

As in the case where the value of a field is read without error, we obtain that 
h a' : A for some object type A and f : B' in A for some B' such that h B' < B. 
It is easy to see that this contradicts the assumption no f in a'. 
Suppose that h a.f := b : A and consider the rule: 

a a' f in a' b b' wrong) 
a.f := b => a'{f <- b'} 
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Much as in other cases, it must be that, for some A' and B, h a : A', h A' < A, 
f : B in A', and h b : B. By induction hypothesis, h a' : A' and h b' : B. Now 
a proof that h a'{f <— b'} : A' can be obtained from the proof that h a' : A' 
by replacing the typing proof for the f field of a' with the proof of h b' : B. 
The proof that h a'{f <— b'} : A follows by subsumption. 

• Suppose that h a.m := c : A and consider the rule: 

a a' m in a' c c' wrong) 
a.m := c a'{m <— c'} 

In the present case, it must be that, for some A', C, and D, h a : A', h A' < A, 
m : C in A', h c : D— >C, and h A' < D. By induction hypothesis, h a' : A' and 
h c' : D— >C. A proof that h a'{m <— c'} : A' can be obtained from the proof 
that h a' : A' by replacing the typing proof for the m method of a' with the 
proof of h c' : D— >C. The proof that h a'{f <— b'} : A follows by subsumption. 

□ 

Since the type rules do not give any type for wrong, it follows: 
Corollary 1 

If a a' and h a : A then a' is not wrong. 

4 Semantics 

This section concerns the denotational semantics of Baby Modula-3. Subsection 4.1 
is about the untyped semantics of the terms of the language; this part is relatively 
straightforward, although it involves a few subtle choices. Subsection 4.2, which is 
harder, gives a semantics for the type system. Subsection 4.3 is a short discussion of 
program verification. Subsection 4.4 briefly describes a second, stronger semantics 
for the type system. 

4-1 Semantics of terms 

We interpret the language in an untyped model. After describing this untyped 
model in the first subsection, we define the interpretation of the terms of Baby 
Modula-3. Subsection 4.1.3 relates this interpretation with the reduction rules of 
Section 3. The preliminary material on the untyped model is rather technical. It 
contains details not necessary for understanding most of the rest of the paper. 

4-. 1.1 Preliminaries 

The underlying assumptions on the untyped model are much as in (MacQueen et 
at, 1986); we assume a complete partial order (D, C) such that: 

• There is an increasing sequence p n : D^D of continuous projections with 
least upper bound the identity. Further, po constantly equals _L. 
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• There are strict, continuous embedding-retraction pairs (e,r) between D and 
each of O, {D^D) L , and (L^D). 

O D O 

(L^D) D (L^D) 

Here O is a two-point partial order {*}j_ ; we view * as the error value. As usual 
(£)—>£)) is the complete partial order of continuous functions from £) to D, and 
(D— t--D)j_ is its lifting. (The importance of lifting is discussed further below.) 
Finally, L is a set of labels {f 0, f 1, . . . , mO, ml, . . .}, and the summand (L— >£)) 
can be viewed, roughly, as the set of records over these labels. This summand 
is essentially a product (of D over L), and we can make this product strict or 
not. Having a strict product amounts to identifying all elements that map any 
label to _L, and interpreting them all as _L; a non-strict product keeps these 
elements separate. A strict semantics corresponds better to our reduction 
rules and is closer to full abstraction, while a non-strict semantics affords us 
more flexibility. The definitions below can be read with either choice. 
We omit the various e's and r's in most of what follows, and do not distinguish 
them. We view O, (£)—>£)), and (L— >£)) as subsets of D. 

• Let ; denote function composition, so that (x;y)(z) = y(x(z)). For all i, 

R+i( e (*)) = e (*) 

K+i(e(/)) = e( Pi ;f; Pi ) f G D^D 
p i+ i(e(o)) = e(o;pi) o £ L^-D 

An element v of D is finite if v C Uk(uk) implies v C w 8 - for some i, and the least 
n for which p n (v) = v is the rank of v. 

To obtain D, one can solve an appropriate domain equation, such as: 

D = O + (D^D) L + (L^D) 

by the usual "limit of a sequence of iterates" method. 

4-1-2 Definitions 

We define the semantics function for terms: 

[ ] : (V^D)^(E^D) 

where V is the set of variables and E the set of expressions. We call a mapping 
p in V— >D an environment and write [a] for the semantics of a term a with an 
environment p. When a is closed, we may write [a], omitting p since it is irrelevant. 

If / is a function (for example, an environment) and 1 is in its domain, we write 
/{l <— v} for the function that maps 1 to v and is otherwise identical to /. (The 
same notation is used for a different but related notion in Subsection 3.3.) 

We set: 
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[fun(x : A)b]„ = Au.([b]„ {1 _„ } ) 

[b(a)]„ = if [a] p 7^ * and [b] p £ (£)—>■£)) 
then [b]„([a]„) 
else * 

[nil] = the constantly * function in L^tD 
[a[f = b,m=c]]„ = if [a], £(£-►£>), [a]„(f) = *, [a]„(m) = *, 
[b]„ ^ *, and [c]„ ^ * 
then [a] p {f ^[b] p }{m^[c] p } 
else * 

[a.f], = if [a], £ (L^D) then [a]„(f ) else * 
[a.m], = if [a], £ (L->D) and [a] p (m) £ (D->D) 
then [a]„(m)([a]„) 

else * 

[a.f := b]„ = if [a], £ (L-tD), [a]„(f ) ^ *, and [b]„ ^ * 
then [a]„{f <- [b]„} 

else * 

[a.m := c]„ = if [a], £ (L-tD), [a]„(m) ^ *, and [c]„ ^ * 
then [a]„{m<-[c],} 
else * 
[wrong] p = * 

This definition is given in a metalanguage where conjunctions and conditionals are 
strict and evaluated left to right, and £ is a strict membership test. For example, 
if [a] = _L then immediately [a[f = b,m = c]] = _L. 

4-1-3 Soundness 

The main theorem about the term interpretation states the soundness of reduction. 
This theorem says that reduction does not change the meaning of programs: 

Theorem 2 

If a and b are closed and a =>• b then [a] = [b]. 
Proof 

The proof is by induction on the derivation of a =>• b. It relies on the observations: 

• If d is a result then [d] ^ _L. 

• If d is a result then it is a proper result if and only if [d] ^ *. 

• If d is a result then it is a function result if and only if [d] £ (£)—>£)). 

• If d is a proper result then [(fun(x : A)b)(d)] = [fun(x : A)b]([d]) = [b[d/x]]. 

• If d is a result then it is an object result if and only if [d] £ (L— >£)). 

• If d is an object result and f = b in d then [d](f ) = [b]. 

• If d is an object result and m = c in d then [d](m) = [c]. 
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• If d is an object result with no f in d then [d](f ) = *. 

• If d is an object result with no m in d then [d](m) = *. 

• If d is an object result with no f,m in d, and b and c are proper results, 
then [d[f = b, m = c]] = [d]{f <- [b]}{m <- [c]}. 

• If d is an object result with f in d and b is a proper result, then [d{f <— b}] = 
[d]{f <- [b]}. 

• If d is an object result with m in d and c is a proper result, then [d{m <— c}] = 
[d]{m <- [c]}. 

With these observations, we treat two cases as examples: 

• Suppose that a.f reduces to b using the rule: 

a =>• a' f = b in a' 
a.f => b 

Since a' is a result, [a'] ^ _L. Since f = b in a', a' is an object result, so [a'] £ 
(L^D), and [a'](f) = [b]. The induction hypothesis [a] = [a'] together with 
the definition of [ ] yields that [a.f] = [b]. 

• Suppose that a.f reduces to wrong using the rule: 

a =>• a' no f in a' 
a.f =>• wrong 

Since a' is a result, [a'] ^ _L. Since no f in a', [a'](f) = *. The induction 
hypothesis [a] = [a'] together with the definition of [ ] yields that [a.f] = *, 
that is, [a.f] = [wrong]. 

• Suppose that a.m reduces to d using the rule: 

a =>• a' m = c in a' c ( a ') d 
a.m =>• d 

Since a' is a result, [a'] ^ _L. Since m = c in a', a' is an object result, so 
[a'] £ (L^D), and [a'](m) = [c]. Moreover, since c is a result, [c] ^ _L. The 
rest of the proof is by cases: 

— Assume that [c] £ (£)—>£)). The induction hypothesis [a] = [a'] together 
with the definition of [ ] yields that [a.m] = [a](m)([a]), that is, [a.m] = 

[c] ([a']). Since [a'] £ (L^D), [c]([a']) = [c(a')], and the induction 
hypothesis [c(a')] = [d] yields that [a.m] = [d]. 

— Assume that [c] ^ (£)—>£)). The induction hypothesis [a] = [a'] together 
with the definition of [ ] yields that [a.m] = *. Moreover, [c(a')] = * 
because [a'] ^ _L, and the induction hypothesis [c(a')] = [d] yields that 

[d] = * as well. 

□ 

It is now easy to see why we take (£)— >£)) j_ rather than (£)—>£)) in the definition 
of the semantic domain. The lifting leaves room for a least function different from 
D's _L; this means that we can define the meaning of a result f un(x : A)b to differ 
from _L even if b is constantly _L. We take advantage of this freedom. This choice 
is embodied in the reduction rules, where evaluation does not go under function 
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binders; it is reflected in the denotational semantics; and it is then essential for 
the proof that the reduction rules are correct with respect to the denotational 
semantics. 

On the other hand, we do not take (L— >£))j_ instead of (L— >£)). The extra flex- 
ibility obtained by lifting (L— >£)), while not problematic, is unnecessary because 
we adopt a strict semantics of objects (so for example nil[f = b,m = c] denotes _L 
if b does). The treatment of a non-strict language may be a good exercise. 

It would be worthwhile to study the semantics further, and in particular to con- 
sider issues beyond soundness, such as adequacy and full abstraction. We postpone 
the study of these issues. 

4.2 Semantics of types 

Having given the semantics in an untyped model, we view the types as certain 
subsets of this untyped model. These subsets are ideals (MacQueen et at, 1986). 

Ideals suffice for our purpose — studying type rules. However, they do not yield a 
proper model of typed lambda calculi, because they do not validate one of the stan- 
dard equational rules for typed lambda calculi, the £ rule (see for example (Gunter, 
1992, pp. 44, 265)). We discuss the £ rule and alternatives to ideals in Subsection 4.4. 

After some preliminaries, we define the ideal interpretation and then use it to 
prove the soundness of the type rules of Baby Modula-3. As in the previous sub- 
section, the preliminaries are rather technical; the details are not essential for an 
intuitive understanding of the main definitions below. 

4-2.1 Preliminaries 
An ideal is a subset I of D with the properties: 

• / is nonempty; 

• / is closed downwards in the C order; 

• / is closed under limits of increasing sequences in the C order. 

We write Idl for the set of all ideals that do not contain *. By convention, the 
variables R, T , Rd, Te, . . . , and S range over Idl. In the next subsection, all types 
are interpreted as ideals in Idl. 

The distance between two ideals is 2 _r , where r is the minimum rank of the 
elements in one ideal but not the other, and it is 0 if the two ideals are equal. The 
set of all ideals with this distance function is a complete metric space, and so is 
Idl. Furthermore, by the Banach Fixpoint Theorem, if F is a contractive (distance- 
reducing) map between ideals then it has a unique fixpoint; and if it maps Idl to 
Idl, then the fixpoint is in Idl as well. This is the basis of the usual interpretation 
of recursive types. 

4-2.2 Definitions 
In this section, we define the semantics function for types: 

[ ] : (TV^\d\)^(TE^\d\) 
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where TV is the set of type variables and TE the set of type expressions. A mapping 
p in TV— 7>Idl is a type environment, and we write [A] for the semantics of a 
type A with the environment p. By definition, [X] = /o(X). For convenience, we 
merge environments and type environments, and call environments the functions 
in (V^D) n (TVM-Idl). 

The relation < is simply interpreted as ideal containment. The function-space 
operator is given by: 

R^T = {1} U {/ e (D^D) | f(R) C T} 

and we set: 

[A^B] p = [A]„->[B]„ 

It turns out to be useful to interpret expressions of the form A Self =S as ordinary 
types. Intuitively, A Self =S is much like the object type A, but the self-application 
present in the semantics of A objects is replaced with an application to an element of 
S. Thus, A Self=S is essentially a record type. For example, if A = [f : Nat,m : Nat] 
then A Self =S can be seen as the type ((f : Nat, m : S— »Nat}}, the type of all records 
with a field f of type Nat and a field m of type S— »Nat. 

The definition of [A Self=S] assumes that A is an object type expression. It 
relies on two auxiliary functions: 

• (A)^ is an obvious generalization of [A Self=S] , since we set: 

[A Self=S]„ = (A)f lp 

with 

( ): Idl-K7V->Idl)-KT£->Idl) 

• Given a list of ideals R, T, . . .and a list of labels f , m, . . . of equal length, 
1Z S (f : R,m : T, . . .) is the set of objects that map f to values in R, m to 
functions from S to T, .... This is a semantic version of the record type that, 
informally, can be written ((f : R,m : S— >T, ...)). 

The auxiliary functions are defined by: 

(Root)p = 

(A[f :B,m:C]>; = (A)^ C\TZ s (f : [Bj^m : [C]^) 

(Mu(X)A)^ = <A)^ [Mu(X)Au 

TZ s (f : R,m : T, . . .) = {o £ {L—>D) \ o(f ) GflA o(m) £ (S—tT) A . . .} 

The definition is by induction on the size of type expressions. The reference to [ ], 
whose definition is not yet complete, is justified below. 

As suggested in the overview, p(S)(A) p provides a reasonable interpretation for 
the object type A. This interpretation does not validate the rules for subtyping, but 
a simple variant does. Denoting the lub operation on ideals by (J, we define: 

[A], = [J{p(S)({A) S p r\TZ s (fd : Rd,me : Te, . . .)) | 

f d, me, ... a finite list of distinct labels not in A} 
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Roughly, [A] can be understood as the union of p(S)(B) p over all extensions B of 
A. It should be intuitively clear that this new interpretation is forced to validate 
the rules for subtyping, and we prove that it validates all other rules as well. 

The form of the semantic definition 

The functions ( } and [ ] are defined jointly by induction on the size of type 
expressions. In each case, (A) and [A] are defined in terms of (A'} and [A'] for A' 
smaller than A, with the exception of the case where A is a recursive type. In that 
case, the expression for (Mu(X)A) refers to [Mu(X)A] and vice versa. We have: 

[Mu(X)A]„ = |^J{//(5)((Mu(X)A)p C\TZ S {id : Rd,me : Te,. . .)) | 

f d, me, ... a finite list of distinct labels not in A} 
= U^( 5 )(( A )p{X^[Mu(X)A] p} n^(fd:M,me: Te,...)) \ 
f d, me, ... a finite list of distinct labels not in A} 

but this is equivalent to: 

[Mu(X)A]„ = p(T)\J{p(S)((A) S p{yi ^ T} mZ s (fd:Rd,me:Te,...))\ 
f d, me, ... a finite list of distinct labels not in A} 

= Mr)M„ {X ^ T} 

This reformulation removes the apparent circularity in the definition of ( } and [ ]. 

The definition of [ ] for object types relies on the existence of certain fixpoints. 
Corollaries 2 and 3 guarantee the existence of these fixpoints, and also say that 
they are included in L—^D. 

Finally, note that [A] cannot simply be defined as the union of p(S)(B) p over all 
extensions B of A. That appealing definition would be circular, because an extension 
B may mention A, like A[f : A,m : A], and then p(S)(B) p would itself be defined in 
terms of [A] . 

4-2.3 Soundness 

Next we check the soundness of the type rules with respect to our interpretation. 
We start with a number of propositions that simplify the argument. 

Basic properties of ( } 

Proposition 2 

For all S, f , R, m, T, . . . , TZ S (f : U.m: / ..... (L-kD). 

Proof 

This follows directly from the definition of 1Z S (f : R, m : T, . . .). D 
Proposition 3 

For all object type expressions A, all S, and all p, (A) C (L— >£)). 
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Proof 

The argument is an easy induction on the structure of A (more precisely, on the 
structure of a proof that A is an object type expression). D 

Proposition \ 

For all f , R, m, T, . . . , 1Z S (f : R,m : T, . . .) is contractive in S and in R, T, .... 

Proof 

First we check the claim for S. For 1Z S (f : R), this holds because n s '(f : i?) does 
not depend on 5 1 . For ^^(m : T), this follows from the contractiveness of — > (proved 
in (MacQueen et al., 1986)), since 1Z S (m : T) uses S as argument to — K These two 
cases imply the general case, since fl is nonexpansive and 1Z S (f : R, m : T, . . .) = 
TZ s (f : R) r\TZ s (m : T) n . . . . 

The claim for the other arguments, R, T , . . . , is handled similarly, since they too 
occur only as arguments to — h D 

Proposition 5 

For all object type expressions A and all p, (A) is contractive in S. 
Proof 

As for many of the propositions below, the argument is by induction on the structure 
of the proof that A is an object type expression. That is, we treat the cases of object 
type expressions of the forms Root, A[f : B,m : C], and Mu(X)A. In the last two cases 
we assume, as induction hypothesis, that the claim is true for A. 

• For Root, (Root)p is constant and hence contractive. 

• By definition, (A[f : B,m : C])^ is (k) S p nTZ s (f : [B^m : [C] p ). We obtain that 
(A[f : B,m : C])^ is contractive in S using the induction hypothesis, Proposi- 
tion 4, and the nonexpansiveness of fl. 

• By definition, (Mu(X)A)^ is (A)^x<-[Mu(X)A] }> anc ^ ^ ne induction hypothesis 
applies immediately (but using p{l <— [Mu(X)A]^} as environment). 

□ 

Corollary 2 

For all f , R, m, T, . . . , all object type expressions A, and all p, 

{k) S p mi s (f.R,m:T,...) 
has a unique fixpoint as a function of S. This fixpoint is included in L—^D. 
Proof 

Since fl is nonexpansive, Propositions 4 and 5 yield that (A) P\1Z s (f : R,m : T, . . .) 
is contractive in S, and hence has a unique fixpoint. Moreover, Propositions 2 and 3 
show that this function has range L—^D, and hence its fixpoint is in L—^D. D 

Proposition 6 

For all object type expressions A and all p, (A)^x<-T} ^ s contractive in T. For all 
type expressions A and all p, M^jx^-T} ls nonexpansive in T. 
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Proof 

The claims are proved together, with an induction over a derivation that h A obj 
or h A: 

• For A = X, the first result is vacuous (since X is not an object type expression) 
and the second one obvious. 

• For A a function type, the first result is vacuous and the second one obvious. 

• For A = Root, both results are easy, since Root does not depend on X. 

• For A = A'[f : B, m : C], the first claim follows from the induction hypothesis 
and Proposition 4, since fl preserves contractiveness; the second claim follows 
from the first one since U, fl, and p all preserve contractiveness. 

• For A = Mu(X')A', the first claim follows from the induction hypothesis, since 
(Mu(X')A')^ {X ^ T} = (A')p { x^T}{X'^[Mu(X')A'] p }; the second claim follows from 
the first one, as in the case of A = A'[f : B,m : C]. 

□ 

Corollary 3 

For all object type expressions A and all p, 

[J{p(S)((k) S p{ yr^ T} mZ s (td:Rd,me:Te,...)) \ 
fd,me, . . . distinct labels not in A} 

has a unique fixpoint as a function of T. This fixpoint is included in L—^D. 
Proof 

The first part follows from Proposition 6, since U, fl, and p all preserve contrac- 
tiveness. The second part follows from Corollary 2. D 

Proposition 7 

For all S, S, and p, 

[Root] = (Root)p = [Root Self=S] = (L^D) 

Proof 

We have (Root}^ = (L— >£)) from the definitions, and hence 

[Root Self=S] = (L^D) 

Now we can calculate the semantics of Root. It is given as a union, and one of 
the sets that participates in this union is p(S) (Root)^ . Since (Root)^ is identically 
L—^D, its fixpoint is L—^D. The other sets in the union are included in L—^D, by 
Corollary 2, so it follows that [Root] = (L-tD). □ 

Proposition 8 

For all f , R, m, T, . . . , 1Z S (f : R,m : T, . . .) is antimonotonic in S. 
Proof 

This follows immediately from the antimonotonicity of — > in its first argument, 
since II s {i : II. m : /..... uses S as first argument to — > in otherwise monotonic 
contexts. D 
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Proposition 9 

For all object type expressions A and all p, (A)^ is antimonotonic in S. 
Proof 

This proof is almost identical to that of Proposition 5. D 

Note that Proposition 9 would be false if A was somehow allowed to refer to S. Some 
object-oriented languages provide constructs that support analogous references to 
the "Self" type. The use of a bounded intersection ("bounded quantification") might 
be of help in recovering from this problem. If 5" is a new variable, the function 
Hscs'(A)p is guaranteed to be antimonotonic in 5"; it coincides with (A)^ for the 
language we treat. The viability of this solution may deserve investigation. 

On recursive types 

Proposition 10 

For all object type expressions A and all p, [Mu(X)A] (5 = M /9 {X<-[Mu(X)A] }• 
Proof 

By definition, [Mu(X)A] p equals ^{T)lk} p{Xi _ T} . In turn, ^{T)lk} p{Xi _ T} equals 
MWx^[Mu(X)A] p } b y unfolding. □ 

Proposition 11 

If A and B are type expressions with the same infinite unfolding then [A] = [B] 
for all p. 

Proof 

Proposition 10 shows the soundness of finite unfolding. The soundness of infinite 
unfolding follows because the semantics of a recursive type is the limit of the se- 
mantics of its finite unfoldings. (In a finite unfolding up to depth n, we "plug" 
with Root any branches that would go beyond depth n.) In turn, this limit prop- 
erty holds because [D[f : X, m : Y]] is contractive in the interpretation of X and Y, by 
Proposition 4, and because recursion can go only through the types of fields and 
methods in object types. D 



On subtypmg 

Proposition 12 

For all object type expressions A[f : B,m : C] and all p, 

[A[f :B,m:C]]„C[A]„ 
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Proof 

[A[f :B,m:C]]„ 

= U{A*(5)«A[f :B,m:C])*n7^(fd:iW,me: Te, . . .)) I 

fd,me, . . . distinct labels not in A[f : B,m : C]} 
= U{MS)«A>* mi s (t : [B]„,m : [C]„) n7^(fd : iW,me : Te, . . .)) | 

fd,me, . . . distinct labels not in A, not f , m} 
= {JMS)((k) S p mZ s (t :[B] p ,m:[C] p ,fd:iW,me: Te,...)) \ 

fd,me, . . . distinct labels not in A, not f , m} 
C{J{^S)((A) S p mZ s (td:Rd,me:Te,...)) \ 

fd,me, . . . distinct labels not in A} 

= M„ 

The inclusion step depends on the facts that f and m do not occur in A and that 

[b]„, [c]„ e idi. □ 

On extension and assignment 

Proposition 13 

If A is an object type expression with no f ,m in A, p an environment, and [a]^ G 
(A)^ [a]„(f) = *, [a]„(m) = *, [b]„ ^ *, [c]„ ^ *, then [a[f = b,m= c]]„ G {A) S p . 

Proof 

The argument is by induction on the structure of the proof that A is an object type 
expression: 

• For Root, we use Proposition 3: if [a] 6 (Root)^ then [a] 6 (L— >£)), and 
hence [a[f = b,m = c]] G (Root)^. 

• Consider an object type expression of the form A[fd : Bd,me : Ce], with fd and 
me distinct from f and m. If [a] G (A[fd : Bd,me : Ce]) S then [a] G (k) S , and 
then [a[f = b,m= c]]„ G {A) S p by [a]„(f) = *, [a]„(m) = *, [b]„ ^ [ c]p ^ 
and the induction hypothesis. In addition, [a] G TZ S (td : [BdJ^me : [Ce] ), 
and hence [a] G (X— >£)); since fd and me are distinct from f and m, and 
W p (f) = *, [a]„(m) = *, lb} p ^ * and [c]„ ^ *, we get [a[f = b,m = c]]„ G 
K s (fd : [Bd^me : [Ce]^). Therefore, if [a] p G (A[f d : Bd, me : Ce]) S p then 
[a[f = b, m = c]} p G (A[f d : Bd, me : Ce])* . 

• The case of object type expressions of the form Mu(X)A is handled by unfolding 
the definition of (Mu(X)A)* and invoking the induction hypothesis with the 
environment p{l <- [Mu(X)A] }. 

(In this proof, as in many others below, the case of expressions that denote _L is 
rather trivial, since ideals are required to contain _L by definition; we tend to ignore 
this case.) D 

Proposition 1\ 

For all R, T , and S: 
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• If o £ TZ S (f : R) then o(f ) ^ *. 

• If o 6 TZ S (m : T) then o(m) 7^ *. 

_Proo/ 

Since R G Idl, it cannot contain *. This settles the first claim. The argument for 
the second claim is almost identical, with S— >T instead of R. D 

Proposition 15 

For all object type expressions A, all S, and all p: 
. If [a]„(f ) ^ * and [b]„ ^ * then: 

— If [a], G (A)* and no f in A then [a.f := b]„ G (A)*. 

— If [a] G TZ S (fd : Rd,me : Te, . . .) and f is not among fd, me, . . .then 
[a.f := bj p £ II s {fd : Rd,me : Te,...). 

. If [a] p (m) ^ * and [c]„ ^ * then: 

— If hl p e {k) S p and no m in A then [a.m := c} p £ {k) S p . 

— If [a] G TZ S (td : Rd,me : Te, . . .) and m is not among fd, me, . . . , then 
[a.m:= cj p G TZ S (fd : Rd,me : Te,...). 

Proof 

For fields and for methods, the first claim is proved by induction on the structure 
of the proof that A is an object type expression, with a proof similar to that for 
Proposition 13; the second claim is proved directly from the definitions. D 

On reading and invocation 

We define an operator that reflects the self-application present in the semantics of 
object type expressions: 

\A] p = {oe(L^D)\oe(Af p {o} } 
where C{o} is the least ideal containing o, that is, {v \ v C o}. 
Proposition 16 

For all object type expressions A and all p: 

• If f : B in A and o G [A] then o(f ) G [B] 

• If m : C in A and o G [A] then o(m) G {D^-D) and o(m)(o) G [C] . 
Proof 

We obtain the first result by induction on the structure of the proof that A is an 
object type: 

• For Root the proof is vacuous, as Root has no fields or methods. 

• For A[f : B,m' : C], the proof is immediate from the definitions. 

• For A[f ' : B', m' : C] with f ^ f' the proof follows from the induction hypothesis. 

• Recursive object type expressions are handled by unfolding. 

The claim for methods is proved similarly. D 
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Proposition 17 

For all object type expressions A and all p, 

p(S)(A) S p C \A] p 

Proof 

The fixpoint considered exists, by Proposition 5. Now we argue by induction on the 
structure of the proof that A is an object type: 

• If A is Root, then the result follows from [Root] = (L— >£)), which in turn 
follows from Proposition 7. 

• Assume that A is A'[f : B,m : C]. Let T = p(S){k) , and let v be an element 
of T. By unfolding, such a v is also in (A) T p . The definitions yield v £ (A'} T p . 

By Proposition 9, we also have v £ (A') C p ^- v \ since C{v} C T. In addition, 
the definitions also give i>(f) £ [B] , and v(m)(u) £ [C] for every u £ T. In 
particular, for u = v, we get v(m)(v) £ [C] . The properties of ideals yield that 

v(m)(v') £ [C] for every v' C v. Combining these results with v £ (A') C p ^- v \ 
we obtain the desired conclusion from the definitions. 

• Assume that A is Mu(X)A'. We have: 




[Mu(X)A'] p = [A'l p{X ^ [Mu(X)A , u 

The result then follows from the induction hypothesis (used with the envi- 
ronment p{l <r- [Mu(X)A'] }). 

□ 



Mam results 

We say that p and E are consistent (and write p \= E) if whenever x : A occurs in E 
then p(x) £ [A]„. 

Theorem 3 

Assume that p \= E. Then: 

• If E h A then {A\ p £ Idl. 

• If E h A obj then [A] £ Idl and [A] C (L^D). 
. IfE h A = Bthen [A] p = [B] p . 

. If E h A<Bthen [A] p C [B] p . 
. IfE h a: A then [a] p £ [A]„. 

• If E h a : A Self=S then [a] £ [A Self=S] 

Proof 

The first claim follows immediately from the definitions. The second claim, discussed 
above, is a consequence of Corollary 2. The third claim follows from Proposition 11, 
which justifies the rules for equality of recursive object types. The fourth claim 
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follows from Proposition 12, which justifies the subtyping rule for object types. 
(The hypotheses of that rule imply that A[f : B,m : C] is an object type expression, 
so Proposition 12 is applicable.) It remains to check the soundness of the rules for 
typechecking; we discuss those related to objects. 

• For 

E h a : A Self =A 
E h a : A 

The assumption yields that A is an object type expression, by Proposition 1. 
Therefore, [A] p is defined as a union of fixpoints, one of which is n(S)(k) p . 

This set equals (A)^ p . Since [A] D fi(S){k) , Proposition 9 implies that 
^( s )( k ) s P In ghort; we obtain: 

= ^m(s)<A>; s 

2 <A>^ 

= [A Self=A] p 

• For 

E h S 
E h nil : Root Self =S 
Since [nil] G [Root] , the soundness of this rule follows from Proposition 7, 
which says that [Root] = [Root Self=S] for any S. 

• For 

E h a : A Self =S E h b : B E h c : D-^C 
E h S<D no f,m in A 
E h a[f = b, m = c] : A[f : B, m : C] Self =S 

By assumption, we have that [a] G [A Self=S] , [b] ^ *, and [c] ^ 
*. Moreover, Proposition 1 guarantees that A is an object type expression 
and gives the form of a, and from this form it follows that [a] (f) = * and 
[a] (m) = *. Proposition 13 implies that [a[f = b,m = c]] G [A Self=S] . 
The assumptions also yield [b] G [B] and [c] G [S] p — >[C] , and hence 

[a[f = b,m=c]] p G^(f :[B] p ,m:[C] p ). 

Now it follows from the definition of [A[f : B,m : C] Self=S] as the intersec- 
tion of [A Self=S] and ^ [S] "(f : [B] m : [C] ) that 

[a[f = b, m = c]} p G [A[f : B, m : C] Self =S} p 

• For 

E h a : A E h A obj f : B in A 

E h a.f : B 

The assumption that E h a : A means that: 

M P £ \jMS)({A) S p mi s (fd:Rd,me:Te,...))\ 
fd,me, . . . distinct labels not in A} 
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For [a] finite, it follows that [a] is in one of the sets that participate in the 
union, p(S)((A.) p PilZ s (fd : Rd,me : Te, ...)). (Infinite elements are handled by 
continuity.) Proposition 17 guarantees that [a] is in [A[fd : Rd,me : Te, . . .]] /, 
where Rd, Te, ... are new type variables and p' extends p to map them to Rd, 
Te, .... We also obtain that [a] p £ (X^D). 

Now, A[f d : Rd, me : Te, . . .] is an extension of A, and hence f : B in A implies 
f :B in A[fd:Rd,me:Te,...]. Since [a], G (L^D), [a.f], = [a]„(f), and 
Proposition 16 yields that [a.f] G [B] . 

• For 

E h a : A E h A obj m : C in A 

E h a.m : C 

The soundness argument for this rule resembles the previous one, using Propo- 
sitions 16 and 17. At the end of the argument, we use an additional fact 
obtained from Proposition 16, that [a] (m) 6 (£)—>£)); this is needed for 
guaranteeing that [a.m]^ = [a^m^a]^). 

• For 

E h a : A Ehb:B f : B in A 
E h a.f := b : A 

Since f : B in A, A must be an object type expression, and we can assume it 
is of the form A'[f : B, m : C], all other cases being similar to this one. Assume 
further that [a] is finite. (Infinite elements are handled by continuity.) 
If l & l p £ l A l p tnen l & l p is m some i dea l T Q l A l p °f tne f° rm 

p(S)((A) S p r\TZ S (fd : Rd,me : Te,.. .)) 

which equals 

p(S)((A') S p mi s (t: [B]„,m : [C]„) nil 3 (fd : Rd,me :Te,.. .)) 

and, by unfolding, 

{k'f p nll T (f : [B]„,m : [C]„) nft T (fd :Rd,me:Te,.. .) 

So [a] p £ TZ T (f : [B]^), and, by Proposition 14, [a] p (f) ^ *. If in addition 
M P £ W p , then [a.f := b]„ G TZ T (f : [B]„). Since A'[f : B,m : C] is an ob- 
ject type expression, we have no f in A', and f differs from f d, me, . . . , so 
Proposition 15 applies, and yields 

[a.f := b]„ G (k'f p nll T (f : [B]„,m : [C]„) nft T (fd : iW,me : Te, . . .) 

that is, [a.f := b]„ G T, hence [a.f := b]„ £ [A]„. 

• For 

E h a : A E h g : D-^C E h A<D m : C in A 
E h a.m := g : A 

The proof is similar to the previous one. The only difference is that here we 
use [g] p G [A],^[C] p and [A], D T in order to derive that [a.f := g} p G 
tt T (m:[C]„). 

The treatment of the rules not related to objects is standard. D 
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Corollary 4 

If p |= E and E h a : A then [a] ^ *. 
Proof 

If p |= E and E h a : A then [a] 6 [A] by Theorem 3. Moreover, E h a : A yields 
E h A, and so [A] G Idl by Theorem 3. Since * £ [A] , we obtain [a] ^ *. □ 

Corollary 5 

If a =>• a' and h a : A then a' is not wrong. 

Proof 

Any p is consistent with the empty environment, so if h a : A then [a] ^ *, by 
Corollary 4. In addition, if a =>• a' then [a] = [a'], by Theorem 2. Hence [a'] 7^ *, 
and a' is not wrong. D 

4-3 Reasoning about programs 

The denotational semantics can also serve in validating rules for reasoning about 
programs. We only start the explorations of such rules, by giving two simple exam- 
ples. 

• For assignment to fields, we have an inequational rule. The relation C is the 
evident syntactic representation of the domain order, as in Scott's LCF. 

E h a : A Ehb:B f : B in A 
E h (a.f := b).f C b : B 

In order to justify the rule, we observe that (a.f := b).f differs from b only 
when it denotes _L or *; moreover, the hypotheses exclude this last possibility. 
An analogue for this rule in an imperative setting might be that if P is a 
predicate, P(b) holds before the assignment a.f := b, and this assignment 
terminates, then P(a.f ) holds afterwards. 

• A similar inequational rule is sound for overriding: 

E h a : A E h c : D-^C E h A<D m : C in A 
E h (a.m := c).m C c(a) : C 

A useful project would be to extend the denotational semantics to a larger frag- 
ment of Modula-3, and then prove the soundness of a verification system for that 
language. This project is appealing because Modula-3 was designed with formal 
methods in mind and there are active efforts in the specification and verification of 
Modula-3 programs (Cardelli and Nelson, 1993; Guttag and Horning, 1993). 

4-4 A stronger semantics of types 

The ideal semantics of Subsection 4.2 does not validate all reasonable rules. For 
example, we might expect that a function in Root— S-Nat be constant, but it need 
not be in the ideal semantics. A stronger semantics may be based on per models 
(e.g., (Amadio, 1991; Cardone, 1989; Abadi and Plotkin, 1990)) or, perhaps better, 
on parametric per models (e.g., (Bainbridge et at, 1990)). 
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For the sake of simplicity, we do not use pers in the body of this paper. Here we 
sketch the modifications necessary for obtaining a per semantics, and then discuss 
the result. As Amadio and Cardone, we take a metric approach. Finding a per 
semantics along the lines of (Abadi and Plotkin, 1990) remains a challenge. 

A complete uniform per is a symmetric, transitive, binary relation R on D with 
the properties: 

• R is nonempty; 

• if uRv then (pi(u))R(pi(v)) for all i; 

• R is closed under limits of increasing sequences in the C order. 

The distance between two pers is 2 _r , where r is the minimum rank where the two 
pers differ, and it is 0 if the two pers are equal. 

The complete uniform pers that do not relate * to any value provide suitable 
denotations for type expressions. The collection of all such complete uniform pers 
is CUPer. 

The changes required in replacing Idl with CUPer are mostly local. Like ideals, 
complete uniform pers can be combined with intersection and (not as easily) with 
union. Furthermore, there is a suitable function-space operator: 

R^T = {(_L, J.)} U {(/, g) £ (D^D) x (D^D) | if xRy then f(x)Tg(y)} 

and we can solve fixpoint equations. As for object types, we update the definitions 
of (Root)^ and 1Z S (f : R, m : T, . . .); they become: 

(Root)p = (L^D) x (L^D) 

TZ s (f : R,m : T, . . .) = {(o, o') £ (L-tD) x (L-tD) \ 

(o(f ), o'(f )) ERA (o(m), o'(m)) £ (S->T) A...} 

Here, as in many other obvious places, we replace L^tD with (£—>■£)) x (£—>■£)). 
With this change, the propositions up to Proposition 12 are proved as for ideals. 
To adapt Propositions 13-15, we interpret v £ R as (v,v) £ R, for v a value and 
R a per. For Propositions 16 and 17, we note that the least complete uniform per 
containing o is C{o} = {(o, o)} U Ui{(Pi (o) , Pi (o))} . The main results follow. 

The advantages of pers over ideals in the semantics of typed lambda calculi are 
well known (see for example (Gunter, 1992, p. 266)). Basically, pers validate the £ 
rule, according to which if b and b' are equal as elements of B for all x in A then 
f un(x : A)b and f un(x : A)b' are equal as elements of A— >B. We benefit from this in 
Baby Modula-3, which is an extension of a typed lambda calculus. We also obtain 
new equalities of objects. For example, the functions in Root— S-Nat are constant. 
Further, if A is Root[f : Nat, m : Nat] and c and c' are equal as elements of A— »Nat 
then nil[f = 0,m = c] and nil[f = 0,m = c'] are equal as elements of A. 

The per semantics does not seem to validate all reasonable equations, however. 
Consider A' = Root[f : Nat,m : Nat][f' : Nat,m' : Nat], a subtype of A. The objects 

nil[f = 0, m = f un(x : A)0] 

and 

nil[f = 0,m = fun(x : A')(x.f ')][f ' = 0,m' = fun(x : A')(x.m')] 
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are not equal as elements of A, although they behave identically in any context that 
treats them as elements of A. 

5 Related work 

In the last few years there have been diverse works on the foundations of object- 
oriented programming. Some focused on untyped languages, for example Cook's 
thesis (1989). We have mentioned the influential papers of Cardelli and Mitchell, 
which concern typed languages. Here we discuss other works on typed languages. 
They are very recent and ongoing, and they seem to be the first to present thorough 
soundness results. The exact relations between the approaches are not entirely clear 
at this point. 

We can classify formal accounts of object-oriented languages along two dimen- 
sions, the language treated and the description method used: 

1. The language treated. There are several main families of object-oriented lan- 
guage. In class-based languages, methods are attached to classes, which are 
used to generate objects; in delegation-based languages, methods are attached 
to individual objects. In particular, delegation-based languages may allow 
overriding methods in individual objects (like Baby Modula-3). Such a fea- 
ture would be problematic in the class-based languages discussed below. 

2. The description method used. Some of the accounts are based on syntac- 
tic translations into more or less traditional higher-order languages, such as 
System F enriched with subtyping, recursion, and records; when the target 
language chosen is sufficiently well understood, this yields a denotational se- 
mantics as a side-product. Other accounts give a direct denotational seman- 
tics. 

Continuing his original work, now with Honsell and Fisher, Mitchell presents a 
delegation-based language (1993). The untyped version of this language and that of 
Baby Modula-3 are quite similar. The type systems seem incomparable: Mitchell et 
al. concentrate on inheritance, but do not provide a subtype relation. Their study 
is syntactic, and the main technical result is a subject-reduction theorem. 

Bruce (1993) treats a class-based language called TOOPL. The language includes 
a rich object system. It does not allow explicit recursion; rather, some recursion is 
obtained through the class mechanisms. Bruce's technique draws on a fairly long line 
of previous papers, such as (Cook et al., 1990). The method is essentially semantic, 
but parts of the constructions can be seen as translations into a language with 
recursion and F-bounded universal quantifiers. The result is rather complicated. 
However, it is possible that this complexity is intrinsic to the project of giving a 
semantics to TOOPL. 

Another interesting approach is that of Pierce and Turner (1993). Again, they 
treat a class-based language. This language is more limited than Bruce's, and in 
particular it lacks binary methods. (Pierce and Turner have gone on to propose a 
new way to model binary methods (1992).) The semantics of the language is based 
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on a translation, and it exploits abstract data types rather than polymorphic types 
and recursion. 

Castagna, Ghelli, and Longo (1992; 1992) suggest a very different view of object- 
oriented programming languages. They present a core calculus, with classes, sub- 
typing, and overloaded functions. It leads to an original treatment of constructs 
such as multiple dispatch in the CLOS style (Steele, 1990). (All the other papers 
discussed here deal only with single dispatch.) 

Modula-3 is a rather traditional language, with no classes, and so is Baby Modula- 
3. We present a semantic definition, but not a translation into a standard typed 
lambda calculus. It is however possible that the semantic definition may lead to 
such a translation. In particular, the union operation in our semantics of object 
types may correspond to an existential quantifier. Other semantic constructs clearly 
correspond to record types, and in that our work continues that of Cardelli and 
Mitchell. We leave as an open problem the definition of a translation from Baby 
Modula-3 into a standard typed lambda calculus. 

Thus, Baby Modula-3 differs significantly from the other languages used in formal 
studies, and the theory of objects presented relies on some new ideas and construc- 
tions. However, the various theories of objects seem compatible. A synthesis might 
be both viable and useful. 
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